@tenxyte/core 0.9.0 → 0.9.3

package/src/modules/b2b.ts

@@ -1,177 +0,0 @@
-import { TenxyteHttpClient } from '../http/client';
-import { Organization, PaginatedResponse } from '../types';
-
-export interface OrgMembership {
-    id: number;
-    user_id: number;
-    email: string;
-    first_name: string;
-    last_name: string;
-    role: { code: string; name: string };
-    joined_at: string;
-}
-
-export interface OrgTreeNode {
-    id: number;
-    name: string;
-    slug: string;
-    children: OrgTreeNode[];
-}
-
-export class B2bModule {
-    private currentOrgSlug: string | null = null;
-
-    constructor(private client: TenxyteHttpClient) {
-        // Register an interceptor to auto-inject the X-Org-Slug header
-        this.client.addRequestInterceptor((config) => {
-            if (this.currentOrgSlug) {
-                config.headers = {
-                    ...config.headers,
-                    'X-Org-Slug': this.currentOrgSlug,
-                };
-            }
-            return config;
-        });
-    }
-
-    // ─── Context Management ───
-
-    /**
-     * Set the active Organization context.
-     * Subsequent API requests will automatically include the `X-Org-Slug` header.
-     * @param slug - The unique string identifier of the organization.
-     */
-    switchOrganization(slug: string): void {
-        this.currentOrgSlug = slug;
-    }
-
-    /**
-     * Clear the active Organization context, dropping the `X-Org-Slug` header for standard User operations.
-     */
-    clearOrganization(): void {
-        this.currentOrgSlug = null;
-    }
-
-    /** Get the currently active Organization slug context if set. */
-    getCurrentOrganizationSlug(): string | null {
-        return this.currentOrgSlug;
-    }
-
-    // ─── Organizations CRUD ───
-
-    /** Create a new top-level or child Organization in the backend. */
-    async createOrganization(data: {
-        name: string;
-        slug?: string;
-        description?: string;
-        parent_id?: number;
-        metadata?: Record<string, unknown>;
-        max_members?: number;
-    }): Promise<Organization> {
-        return this.client.post('/api/v1/auth/organizations/', data);
-    }
-
-    /** List organizations the currently authenticated user belongs to. */
-    async listMyOrganizations(params?: {
-        search?: string;
-        is_active?: boolean;
-        parent?: string;
-        ordering?: string;
-        page?: number;
-        page_size?: number;
-    }): Promise<PaginatedResponse<Organization>> {
-        return this.client.get('/api/v1/auth/organizations/', { params });
-    }
-
-    /** Retrieve details about a specific organization by slug. */
-    async getOrganization(slug: string): Promise<Organization> {
-        return this.client.get(`/api/v1/auth/organizations/${slug}/`);
-    }
-
-    /** Update configuration and metadata of an Organization. */
-    async updateOrganization(slug: string, data: Partial<{
-        name: string;
-        slug: string;
-        description: string;
-        parent_id: number | null;
-        metadata: Record<string, unknown>;
-        max_members: number;
-        is_active: boolean;
-    }>): Promise<Organization> {
-        return this.client.patch(`/api/v1/auth/organizations/${slug}/`, data);
-    }
-
-    /** Permanently delete an Organization. */
-    async deleteOrganization(slug: string): Promise<{ message: string }> {
-        return this.client.delete(`/api/v1/auth/organizations/${slug}/`);
-    }
-
-    /** Retrieve the topology subtree extending downward from this point. */
-    async getOrganizationTree(slug: string): Promise<OrgTreeNode> {
-        return this.client.get(`/api/v1/auth/organizations/${slug}/tree/`);
-    }
-
-    // ─── Member Management ───
-
-    /** List users bound to a specific Organization. */
-    async listMembers(slug: string, params?: {
-        search?: string;
-        role?: 'owner' | 'admin' | 'member';
-        status?: 'active' | 'inactive' | 'pending';
-        ordering?: string;
-        page?: number;
-        page_size?: number;
-    }): Promise<PaginatedResponse<OrgMembership>> {
-        return this.client.get(`/api/v1/auth/organizations/${slug}/members/`, { params });
-    }
-
-    /** Add a user directly into an Organization with a designated role. */
-    async addMember(slug: string, data: {
-        user_id: number;
-        role_code: string;
-    }): Promise<OrgMembership> {
-        return this.client.post(`/api/v1/auth/organizations/${slug}/members/`, data);
-    }
-
-    /** Evolve or demote an existing member's role within the Organization. */
-    async updateMemberRole(slug: string, userId: number, roleCode: string): Promise<OrgMembership> {
-        return this.client.patch(`/api/v1/auth/organizations/${slug}/members/${userId}/`, { role_code: roleCode });
-    }
-
-    /** Kick a user out of the Organization. */
-    async removeMember(slug: string, userId: number): Promise<{ message: string }> {
-        return this.client.delete(`/api/v1/auth/organizations/${slug}/members/${userId}/`);
-    }
-
-    // ─── Invitations ───
-
-    /** Send an onboarding email invitation to join an Organization. */
-    async inviteMember(slug: string, data: {
-        email: string;
-        role_code: string;
-        expires_in_days?: number;
-    }): Promise<{
-        id: number;
-        email: string;
-        role: string;
-        token: string;
-        expires_at: string;
-        invited_by: { id: number; email: string };
-        organization: { id: number; name: string; slug: string };
-    }> {
-        return this.client.post(`/api/v1/auth/organizations/${slug}/invitations/`, data);
-    }
-
-    /** Fetch a definition matrix of what Organization-level roles can be assigned. */
-    async listOrgRoles(): Promise<Array<{
-        code: string;
-        name: string;
-        description: string;
-        weight: number;
-        permissions: Array<{ code: string; name: string; description: string }>;
-        is_system_role: boolean;
-        created_at: string;
-    }>> {
-        return this.client.get('/api/v1/auth/organizations/roles/');
-    }
-}

package/src/modules/rbac.ts

@@ -1,207 +0,0 @@
-import { TenxyteHttpClient } from '../http/client';
-import { decodeJwt, DecodedTenxyteToken } from '../utils/jwt';
-
-export interface Role {
-    id: string;
-    name: string;
-    description?: string;
-    is_default?: boolean;
-    permissions?: string[];
-}
-
-export interface Permission {
-    id: string;
-    code: string;
-    name: string;
-    description?: string;
-}
-
-export class RbacModule {
-    private cachedToken: string | null = null;
-
-    constructor(private client: TenxyteHttpClient) { }
-
-    /**
-     * Cache a decoded JWT payload locally to perform parameter-less synchronous permission checks.
-     * Usually invoked automatically by the system upon login or token refresh.
-     * @param token - The raw JWT access token encoded string.
-     */
-    setToken(token: string | null) {
-        this.cachedToken = token;
-    }
-
-    private getDecodedToken(token?: string): DecodedTenxyteToken | null {
-        const t = token || this.cachedToken;
-        if (!t) return null;
-        return decodeJwt(t);
-    }
-
-    // --- Synchronous Checks --- //
-
-    /**
-     * Synchronously deeply inspects the cached (or provided) JWT to determine if the user has a specific Role.
-     * @param role - The exact code name of the Role.
-     * @param token - (Optional) Provide a specific token overriding the cached one.
-     */
-    hasRole(role: string, token?: string): boolean {
-        const decoded = this.getDecodedToken(token);
-        if (!decoded?.roles) return false;
-        return decoded.roles.includes(role);
-    }
-
-    /**
-     * Evaluates if the active session holds AT LEAST ONE of the listed Roles.
-     * @param roles - An array of Role codes.
-     */
-    hasAnyRole(roles: string[], token?: string): boolean {
-        const decoded = this.getDecodedToken(token);
-        if (!decoded?.roles) return false;
-        return roles.some(r => decoded.roles!.includes(r));
-    }
-
-    /**
-     * Evaluates if the active session holds ALL of the listed Roles concurrently.
-     * @param roles - An array of Role codes.
-     */
-    hasAllRoles(roles: string[], token?: string): boolean {
-        const decoded = this.getDecodedToken(token);
-        if (!decoded?.roles) return false;
-        return roles.every(r => decoded.roles!.includes(r));
-    }
-
-    /**
-     * Synchronously deeply inspects the cached (or provided) JWT to determine if the user has a specific granular Permission.
-     * @param permission - The exact code name of the Permission (e.g., 'invoices.read').
-     */
-    hasPermission(permission: string, token?: string): boolean {
-        const decoded = this.getDecodedToken(token);
-        if (!decoded?.permissions) return false;
-        return decoded.permissions.includes(permission);
-    }
-
-    /**
-     * Evaluates if the active session holds AT LEAST ONE of the listed Permissions.
-     */
-    hasAnyPermission(permissions: string[], token?: string): boolean {
-        const decoded = this.getDecodedToken(token);
-        if (!decoded?.permissions) return false;
-        return permissions.some(p => decoded.permissions!.includes(p));
-    }
-
-    /**
-     * Evaluates if the active session holds ALL of the listed Permissions concurrently.
-     */
-    hasAllPermissions(permissions: string[], token?: string): boolean {
-        const decoded = this.getDecodedToken(token);
-        if (!decoded?.permissions) return false;
-        return permissions.every(p => decoded.permissions!.includes(p));
-    }
-
-    // --- Roles CRUD --- //
-
-    /** Fetch all application global Roles structure */
-    async listRoles(): Promise<Role[]> {
-        return this.client.get<Role[]>('/api/v1/auth/roles/');
-    }
-
-    /** Create a new architectural Role inside Tenxyte */
-    async createRole(data: { name: string; description?: string; permission_codes?: string[]; is_default?: boolean }): Promise<Role> {
-        return this.client.post<Role>('/api/v1/auth/roles/', data);
-    }
-
-    /** Get detailed metadata defining a single bounded Role */
-    async getRole(roleId: string): Promise<Role> {
-        return this.client.get<Role>(`/api/v1/auth/roles/${roleId}/`);
-    }
-
-    /** Modify properties bounding a Role */
-    async updateRole(roleId: string, data: { name?: string; description?: string; permission_codes?: string[]; is_default?: boolean }): Promise<Role> {
-        return this.client.put<Role>(`/api/v1/auth/roles/${roleId}/`, data);
-    }
-
-    /** Unbind and destruct a Role from the global Tenant. (Dangerous, implies cascading permission unbindings) */
-    async deleteRole(roleId: string): Promise<void> {
-        return this.client.delete<void>(`/api/v1/auth/roles/${roleId}/`);
-    }
-
-    // --- Role Permissions Management --- //
-
-    async getRolePermissions(roleId: string): Promise<Permission[]> {
-        return this.client.get<Permission[]>(`/api/v1/auth/roles/${roleId}/permissions/`);
-    }
-
-    async addPermissionsToRole(roleId: string, permission_codes: string[]): Promise<void> {
-        return this.client.post<void>(`/api/v1/auth/roles/${roleId}/permissions/`, { permission_codes });
-    }
-
-    async removePermissionsFromRole(roleId: string, permission_codes: string[]): Promise<void> {
-        return this.client.delete<void>(`/api/v1/auth/roles/${roleId}/permissions/`, {
-            // Note: DELETE request with body is supported via our fetch wrapper if enabled,
-            // or we might need to rely on query strings. The schema specifies body or query.
-            // Let's pass it in body via a custom config or URL params.
-            body: { permission_codes }
-        } as any);
-    }
-
-    // --- Permissions CRUD --- //
-
-    /** Enumerates all available fine-grained Permissions inside this Tenant scope. */
-    async listPermissions(): Promise<Permission[]> {
-        return this.client.get<Permission[]>('/api/v1/auth/permissions/');
-    }
-
-    /** Bootstraps a new granular Permission flag (e.g. `billing.refund`). */
-    async createPermission(data: { code: string; name: string; description?: string; parent_code?: string }): Promise<Permission> {
-        return this.client.post<Permission>('/api/v1/auth/permissions/', data);
-    }
-
-    /** Retrieves an existing atomic Permission construct. */
-    async getPermission(permissionId: string): Promise<Permission> {
-        return this.client.get<Permission>(`/api/v1/auth/permissions/${permissionId}/`);
-    }
-
-    /** Edits the human readable description or structural dependencies of a Permission. */
-    async updatePermission(permissionId: string, data: { name?: string; description?: string }): Promise<Permission> {
-        return this.client.put<Permission>(`/api/v1/auth/permissions/${permissionId}/`, data);
-    }
-
-    /** Destroys an atomic Permission permanently. Any Roles referencing it will be stripped of this grant automatically. */
-    async deletePermission(permissionId: string): Promise<void> {
-        return this.client.delete<void>(`/api/v1/auth/permissions/${permissionId}/`);
-    }
-
-    // --- Direct Assignment (Users) --- //
-
-    /**
-     * Attach a given Role globally to a user entity.
-     * Use sparingly if B2B multi-tenancy contexts are preferred.
-     */
-    async assignRoleToUser(userId: string, roleCode: string): Promise<void> {
-        return this.client.post<void>(`/api/v1/auth/users/${userId}/roles/`, { role_code: roleCode });
-    }
-
-    /**
-     * Unbind a global Role from a user entity.
-     */
-    async removeRoleFromUser(userId: string, roleCode: string): Promise<void> {
-        return this.client.delete<void>(`/api/v1/auth/users/${userId}/roles/`, {
-            params: { role_code: roleCode }
-        });
-    }
-
-    /**
-     * Ad-Hoc directly attach specific granular Permissions to a single User, bypassing Role boundaries.
-     */
-    async assignPermissionsToUser(userId: string, permissionCodes: string[]): Promise<void> {
-        return this.client.post<void>(`/api/v1/auth/users/${userId}/permissions/`, { permission_codes: permissionCodes });
-    }
-
-    /**
-     * Ad-Hoc strip direct granular Permissions bindings from a specific User.
-     */
-    async removePermissionsFromUser(userId: string, permissionCodes: string[]): Promise<void> {
-        return this.client.delete<void>(`/api/v1/auth/users/${userId}/permissions/`, {
-            body: { permission_codes: permissionCodes }
-        } as any);
-    }
-}

package/src/modules/security.ts

@@ -1,313 +0,0 @@
-import { TenxyteHttpClient } from '../http/client';
-import { TenxyteUser, TokenPair } from '../types';
-import { base64urlToBuffer, bufferToBase64url } from '../utils/base64url';
-
-export class SecurityModule {
-    constructor(private client: TenxyteHttpClient) { }
-
-    // ─── 2FA (TOTP) Management ───
-
-    /**
-     * Get the current 2FA status for the authenticated user.
-     * @returns Information about whether 2FA is enabled and how many backup codes remain.
-     */
-    async get2FAStatus(): Promise<{ is_enabled: boolean; backup_codes_remaining: number }> {
-        return this.client.get('/api/v1/auth/2fa/status/');
-    }
-
-    /**
-     * Start the 2FA enrollment process.
-     * @returns The secret key and QR code URL to be scanned by an Authenticator app.
-     */
-    async setup2FA(): Promise<{
-        message: string;
-        secret: string;
-        manual_entry_key: string;
-        qr_code: string;
-        provisioning_uri: string;
-        backup_codes: string[];
-        warning: string;
-    }> {
-        return this.client.post('/api/v1/auth/2fa/setup/');
-    }
-
-    /**
-     * Confirm the 2FA setup by providing the first TOTP code generated by the Authenticator app.
-     * @param totpCode - The 6-digit code.
-     */
-    async confirm2FA(totpCode: string): Promise<{
-        message: string;
-        is_enabled: boolean;
-        enabled_at: string;
-    }> {
-        return this.client.post('/api/v1/auth/2fa/confirm/', { totp_code: totpCode });
-    }
-
-    /**
-     * Disable 2FA for the current user.
-     * Usually requires re-authentication or providing the active password/totp code.
-     * @param totpCode - The current 6-digit code to verify intent.
-     * @param password - (Optional) The user's password if required by backend policy.
-     */
-    async disable2FA(totpCode: string, password?: string): Promise<{
-        message: string;
-        is_enabled: boolean;
-        disabled_at: string;
-        backup_codes_invalidated: boolean;
-    }> {
-        return this.client.post('/api/v1/auth/2fa/disable/', { totp_code: totpCode, password });
-    }
-
-    /**
-     * Invalidate old backup codes and explicitly generate a new batch.
-     * @param totpCode - An active TOTP code to verify intent.
-     */
-    async regenerateBackupCodes(totpCode: string): Promise<{
-        message: string;
-        backup_codes: string[];
-        codes_count: number;
-        generated_at?: string;
-        warning: string;
-    }> {
-        return this.client.post('/api/v1/auth/2fa/backup-codes/', { totp_code: totpCode });
-    }
-
-    // ─── Verification OTP (Email / Phone) ───
-
-    /**
-     * Request an OTP code to be dispatched to the user's primary contact method.
-     * @param type - The channel type ('email' or 'phone').
-     */
-    async requestOtp(type: 'email' | 'phone'): Promise<{
-        message: string;
-        otp_id: number;
-        expires_at: string;
-        channel: 'email' | 'phone';
-        masked_recipient: string;
-    }> {
-        return this.client.post('/api/v1/auth/otp/request/', { type: type === 'email' ? 'email_verification' : 'phone_verification' });
-    }
-
-    /**
-     * Verify an email confirmation OTP.
-     * @param code - The numeric code received via email.
-     */
-    async verifyOtpEmail(code: string): Promise<{
-        message: string;
-        email_verified: boolean;
-        verified_at: string;
-    }> {
-        return this.client.post('/api/v1/auth/otp/verify/email/', { code });
-    }
-
-    /**
-     * Verify a phone confirmation OTP (SMS dispatch).
-     * @param code - The numeric code received via SMS.
-     */
-    async verifyOtpPhone(code: string): Promise<{
-        message: string;
-        phone_verified: boolean;
-        verified_at: string;
-        phone_number: string;
-    }> {
-        return this.client.post('/api/v1/auth/otp/verify/phone/', { code });
-    }
-
-    // ─── Password Sub-module ───
-
-    /**
-     * Triggers a password reset flow, dispatching an OTP to the target.
-     * @param target - Either an email address or a phone configuration payload.
-     */
-    async resetPasswordRequest(target: { email: string } | { phone_country_code: string; phone_number: string }): Promise<{ message: string }> {
-        return this.client.post('/api/v1/auth/password/reset/request/', target);
-    }
-
-    /**
-     * Confirm a password reset using the OTP dispatched by `resetPasswordRequest`.
-     * @param data - The OTP code and the new matching password fields.
-     */
-    async resetPasswordConfirm(data: {
-        email?: string;
-        phone_country_code?: string;
-        phone_number?: string;
-        otp_code: string;
-        new_password: string;
-        confirm_password: string;
-    }): Promise<{ message: string }> {
-        return this.client.post('/api/v1/auth/password/reset/confirm/', data);
-    }
-
-    /**
-     * Change password for an already authenticated user.
-     * @param currentPassword - The existing password to verify intent.
-     * @param newPassword - The distinct new password.
-     */
-    async changePassword(currentPassword: string, newPassword: string): Promise<{ message: string }> {
-        return this.client.post('/api/v1/auth/password/change/', {
-            current_password: currentPassword,
-            new_password: newPassword,
-        });
-    }
-
-    /**
-     * Evaluate the strength of a potential password against backend policies.
-     * @param password - The password string to test.
-     * @param email - (Optional) The user's email to ensure the password doesn't contain it.
-     */
-    async checkPasswordStrength(password: string, email?: string): Promise<{
-        score: number;
-        strength: string;
-        is_valid: boolean;
-        errors: string[];
-        requirements: {
-            min_length: number;
-            require_lowercase: boolean;
-            require_uppercase: boolean;
-            require_numbers: boolean;
-            require_special: boolean;
-        };
-    }> {
-        return this.client.post('/api/v1/auth/password/strength/', { password, email });
-    }
-
-    /**
-     * Fetch the password complexity requirements enforced by the Tenxyte backend.
-     */
-    async getPasswordRequirements(): Promise<{
-        requirements: Record<string, boolean | number>;
-        min_length: number;
-        max_length: number;
-    }> {
-        return this.client.get('/api/v1/auth/password/requirements/');
-    }
-
-    // ─── WebAuthn / Passkeys (FIDO2) ───
-
-    /**
-     * Register a new WebAuthn device (Passkey/Biometrics/Security Key) for the authenticated user.
-     * Integrates transparently with the browser `navigator.credentials` API.
-     * @param deviceName - Optional human-readable name for the device being registered.
-     */
-    async registerWebAuthn(deviceName?: string): Promise<{
-        message: string;
-        credential: {
-            id: number;
-            device_name: string;
-            created_at: string;
-        };
-    }> {
-        // 1. Begin registration
-        const optionsResponse = await this.client.post<any>('/api/v1/auth/webauthn/register/begin/');
-
-        // 2. Map options for the browser
-        const publicKeyOpts = optionsResponse.publicKey;
-        publicKeyOpts.challenge = base64urlToBuffer(publicKeyOpts.challenge);
-        publicKeyOpts.user.id = base64urlToBuffer(publicKeyOpts.user.id);
-        if (publicKeyOpts.excludeCredentials) {
-            publicKeyOpts.excludeCredentials.forEach((cred: any) => {
-                cred.id = base64urlToBuffer(cred.id);
-            });
-        }
-
-        // 3. Request credential creation from the Authenticator
-        const cred = await navigator.credentials.create({ publicKey: publicKeyOpts }) as PublicKeyCredential;
-        if (!cred) {
-            throw new Error('WebAuthn registration was aborted or failed.');
-        }
-
-        const response = cred.response as AuthenticatorAttestationResponse;
-
-        // 4. Complete registration on the backend
-        const completionPayload = {
-            device_name: deviceName,
-            credential: {
-                id: cred.id,
-                type: cred.type,
-                rawId: bufferToBase64url(cred.rawId),
-                response: {
-                    attestationObject: bufferToBase64url(response.attestationObject),
-                    clientDataJSON: bufferToBase64url(response.clientDataJSON),
-                },
-            },
-        };
-
-        return this.client.post('/api/v1/auth/webauthn/register/complete/', completionPayload);
-    }
-
-    /**
-     * Authenticate via WebAuthn (Passkey) without requiring a password.
-     * Integrates transparently with the browser `navigator.credentials` API.
-     * @param email - The email address identifying the user account (optional if discoverable credentials are used).
-     * @returns A session token pair and the user context upon successful cryptographic challenge verification.
-     */
-    async authenticateWebAuthn(email?: string): Promise<{
-        access: string;
-        refresh: string;
-        user: TenxyteUser;
-        message: string;
-        credential_used: string;
-    }> {
-        // 1. Begin authentication
-        const optionsResponse = await this.client.post<any>('/api/v1/auth/webauthn/authenticate/begin/', email ? { email } : {});
-
-        // 2. Map options for the browser
-        const publicKeyOpts = optionsResponse.publicKey;
-        publicKeyOpts.challenge = base64urlToBuffer(publicKeyOpts.challenge);
-        if (publicKeyOpts.allowCredentials) {
-            publicKeyOpts.allowCredentials.forEach((cred: any) => {
-                cred.id = base64urlToBuffer(cred.id);
-            });
-        }
-
-        // 3. Request assertion from the Authenticator
-        const cred = await navigator.credentials.get({ publicKey: publicKeyOpts }) as PublicKeyCredential;
-        if (!cred) {
-            throw new Error('WebAuthn authentication was aborted or failed.');
-        }
-
-        const response = cred.response as AuthenticatorAssertionResponse;
-
-        // 4. Complete authentication on the backend
-        const completionPayload = {
-            credential: {
-                id: cred.id,
-                type: cred.type,
-                rawId: bufferToBase64url(cred.rawId),
-                response: {
-                    authenticatorData: bufferToBase64url(response.authenticatorData),
-                    clientDataJSON: bufferToBase64url(response.clientDataJSON),
-                    signature: bufferToBase64url(response.signature),
-                    userHandle: response.userHandle ? bufferToBase64url(response.userHandle) : null,
-                },
-            },
-        };
-
-        return this.client.post('/api/v1/auth/webauthn/authenticate/complete/', completionPayload);
-    }
-
-    /**
-     * List all registered WebAuthn credentials for the active user.
-     */
-    async listWebAuthnCredentials(): Promise<{
-        credentials: Array<{
-            id: number;
-            device_name: string;
-            created_at: string;
-            last_used_at: string | null;
-            authenticator_type: string;
-            is_resident_key: boolean;
-        }>;
-        count: number;
-    }> {
-        return this.client.get('/api/v1/auth/webauthn/credentials/');
-    }
-
-    /**
-     * Delete a specific WebAuthn credential, removing its capability to sign in.
-     * @param credentialId - The internal ID of the credential to delete.
-     */
-    async deleteWebAuthnCredential(credentialId: number): Promise<void> {
-        return this.client.delete(`/api/v1/auth/webauthn/credentials/${credentialId}/`);
-    }
-}